Hello everyone,
I'm trying to write a super weird ACL or looking for a better way to
handle the following problem:
Our UNIX systems query OpenLDAP to get gidNumber for people logging
in. One such gidNumber puts a person in the sysadmin group, but
people aren't admins of all the servers, so that gidNumber
should only be released to certain servers.
Currently, the lookup is done with a SASL bind and a DN specific to
each machine. So, should I (and can I) make an ACL that says "in
the cn=accounts branch, release all attributes but only release
gidNumber=100 if the person asking is dn=omega." ??

You didn't specify what version of OpenLDAP you're asking about.
Try reading slapd.access(5).

access to attr=gidnumber val=100 by dn=omega read

You must of course be using a recent 2.2 release for the above to work.
--
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
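The one-liner above, written out as a full slapd.conf ACL pair, as an added example that is not part of the thread or of Howard's reply. The base DN, the ou=accounts and ou=hosts containers, and the host DN cn=omega,ou=hosts,... are assumptions; substitute the DN that each machine's SASL identity is actually mapped to. Styles are written out explicitly (dn.exact, dn.subtree, dn.children) rather than relying on a bare dn= pattern.

```conf
# Added example, not from the thread. Assumed names: account entries live
# under ou=accounts,dc=example,dc=com and every machine's SASL bind identity
# is mapped to a DN under ou=hosts,dc=example,dc=com.
#
# Order matters: slapd uses the first "access to" whose <what> clause matches,
# then the first matching "by" clause inside it, so the specific rule for the
# sensitive value has to come before the general one.

# 1. The sysadmin gid. With "attrs=gidNumber val=100" this rule matches only
#    that single value; entries whose gidNumber is anything else do not match
#    here and fall through to rule 2. Only the omega host gets read access;
#    "by * none" (the implicit default, spelled out) denies everyone else, so
#    the value is simply absent from their search results and a compare on
#    gidNumber=100 fails for them.
access to dn.subtree="ou=accounts,dc=example,dc=com"
        attrs=gidNumber val=100
    by dn.exact="cn=omega,ou=hosts,dc=example,dc=com" read
    by * none

# 2. Everything else under ou=accounts, including all other gidNumber values,
#    is readable by any host identity; everyone else (anonymous included)
#    gets nothing.
access to dn.subtree="ou=accounts,dc=example,dc=com"
    by dn.children="ou=hosts,dc=example,dc=com" read
    by * none
```

To check it, bind as two different host identities with ldapsearch (for example `ldapsearch -Y <mechanism> -b ou=accounts,dc=example,dc=com gidNumber`) and confirm that an entry with gidNumber 100 shows the attribute only when bound as the omega identity, while entries with other gidNumber values show it for both. Keep in mind that the rule hides the value, not the entry: the other hosts still see the account, just without the admin gid, which is exactly what the login lookup needs.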